SSHD - logging

By kimot, 25 December, 2022

First, from a bash shell, create the log file and the syslog config file (or check that they already exist):

touch /var/log/syslog.log
touch /QOpenSys/etc/syslog.conf

Edit Syslog config file:

EDTF '/QOpenSys/etc/syslog.conf'

It should contain a rule telling syslogd where to write the log, for example:

auth.info /var/log/syslog.log

or

*.info /var/log/syslog.log

Then edit the SSHD config file:

EDTF '/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config'

Under the # Logging section there should be

LogLevel INFO

or another logging level, e.g. DEBUG.

To start the syslog daemon, run this command:

QSH CMD('/usr/sbin/syslogd')
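
Here is an added example (not code from the original post) that performs the steps above from a PASE bash shell as one idempotent script: it creates the log file, adds the auth.info rule to syslog.conf unless it is already there, sets LogLevel in sshd_config, and starts /usr/sbin/syslogd only if the pid in /QOpenSys/etc/syslog.pid is not alive. The function names and the SYSLOG_*/SSHD_CONFIG/SYSLOGD_BIN environment overrides are my own; the paths are the ones the post uses, and the script assumes syslogd can be started directly from bash as the post starts it through QSH.

```shell
#!/bin/sh
# Added example, not code from the original post: idempotent version of the
# setup steps above (log file, syslog.conf rule, sshd LogLevel, start syslogd).
# The paths are the ones the post uses; they can be overridden through the
# environment so the functions can be exercised against temporary files.

SYSLOG_LOG="${SYSLOG_LOG:-/var/log/syslog.log}"
SYSLOG_CONF="${SYSLOG_CONF:-/QOpenSys/etc/syslog.conf}"
SYSLOG_PID="${SYSLOG_PID:-/QOpenSys/etc/syslog.pid}"
SSHD_CONFIG="${SSHD_CONFIG:-/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config}"
SYSLOGD_BIN="${SYSLOGD_BIN:-/usr/sbin/syslogd}"

# ensure_syslog_rule CONF SELECTOR LOGFILE
# Appends "SELECTOR<TAB>LOGFILE" to CONF unless a rule whose selector is
# exactly SELECTOR is already there. Returns 0 if a line was added, 1 if not.
ensure_syslog_rule() {
    rule_conf="$1"; rule_sel="$2"; rule_log="$3"
    touch "$rule_conf"
    # Compare the first field as a plain string: "*.info" and "auth.info"
    # contain regex metacharacters, so grep would be the wrong tool here.
    if awk -v sel="$rule_sel" '$1 == sel { found = 1 } END { exit !found }' "$rule_conf"; then
        return 1
    fi
    printf '%s\t%s\n' "$rule_sel" "$rule_log" >> "$rule_conf"
    return 0
}

# set_sshd_loglevel CONF LEVEL
# Rewrites the active LogLevel line (sshd keywords are case-insensitive) or
# appends one when none is active; a commented-out "#LogLevel" is left alone.
set_sshd_loglevel() {
    ll_conf="$1"; ll_level="$2"; ll_tmp="${ll_conf}.tmp.$$"
    touch "$ll_conf"
    awk -v lvl="$ll_level" '
        tolower($1) == "loglevel" { print "LogLevel " lvl; done = 1; next }
        { print }
        END { if (!done) print "LogLevel " lvl }
    ' "$ll_conf" > "$ll_tmp" && mv "$ll_tmp" "$ll_conf"
}

# get_sshd_loglevel CONF -> prints the active LogLevel value (empty if none)
get_sshd_loglevel() {
    awk 'tolower($1) == "loglevel" { print $2 }' "$1"
}

# syslogd_running [PIDFILE]
# True when the pid file names a live process. kill -0 only checks existence,
# so a stale pid file reused by another job still gives a false positive.
syslogd_running() {
    sr_pidfile="${1:-$SYSLOG_PID}"
    [ -r "$sr_pidfile" ] || return 1
    sr_pid=$(head -n 1 "$sr_pidfile" | tr -cd '0-9')
    [ -n "$sr_pid" ] && kill -0 "$sr_pid" 2>/dev/null
}

# apply: run the whole procedure from a PASE shell.
apply() {
    touch "$SYSLOG_LOG"
    if ensure_syslog_rule "$SYSLOG_CONF" auth.info "$SYSLOG_LOG"; then
        echo "added auth.info rule to $SYSLOG_CONF"
    fi
    set_sshd_loglevel "$SSHD_CONFIG" INFO
    if syslogd_running; then
        echo "syslogd already running (pid $(head -n 1 "$SYSLOG_PID"))"
    else
        "$SYSLOGD_BIN" && echo "syslogd started"
    fi
    echo "now restart sshd from CL: ENDTCPSVR *SSHD, then STRTCPSVR *SSHD"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
case "${1:-}" in
    apply) apply ;;
esac
```

Run it as sh sshd_logging_setup.sh apply (the file name is mine). Without the argument it only defines the functions, so it can be sourced and pointed at test copies of the files through the environment variables. Rerunning it is safe: the rule and the LogLevel line are written only once.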

Now you can check whether /var/log/syslog.log is filling with information about users logged in through SSHD.
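
To check that the log is actually useful, and not just growing, here is an added example (not from the original post) that parses the sshd lines LogLevel INFO produces in syslog.log and reports authentication results per user and source address, plus the sources with repeated failures. The message formats ("Accepted METHOD for USER from IP ...", "Failed METHOD for [invalid user] USER from IP ...") are OpenSSH's; the sample log lines, host name, user names and addresses are constructed for this example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: once syslog.log is being
# written, summarise what sshd logged at LogLevel INFO. Authentication results
# are logged as "Accepted <method> for <user> from <ip> ..." and
# "Failed <method> for [invalid user] <user> from <ip> ...", which is what the
# awk below parses. The lines in sample_sshd_log are constructed for this
# example; host name, users and addresses are invented.

# sshd_auth_summary LOGFILE
# Prints one line per (outcome, user, source ip), e.g. "Failed admin 10.9.8.7 2"
sshd_auth_summary() {
    awk '
    /sshd\[[0-9]+\]: (Accepted|Failed) / {
        # Locate the fields by keyword rather than by position so a
        # different timestamp or host-name layout does not break parsing.
        for_i = 0; from_i = 0; prog_i = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sshd\[/) prog_i = i
            else if ($i == "for" && !for_i) for_i = i
            else if ($i == "from") from_i = i
        }
        if (!prog_i || !for_i || !from_i) next
        outcome = $(prog_i + 1)
        # "for invalid user NAME" marks a user that does not exist locally
        user = ($(for_i + 1) == "invalid") ? $(for_i + 3) : $(for_i + 1)
        ip = $(from_i + 1)
        count[outcome " " user " " ip]++
    }
    END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# failed_by_source LOGFILE THRESHOLD
# Prints "ip failures" for every source with at least THRESHOLD failed logins,
# the first thing to look at when deciding whether a host is being brute-forced.
failed_by_source() {
    sshd_auth_summary "$1" | awk -v min="$2" '
        $1 == "Failed" { fails[$3] += $4 }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' | sort
}

# Constructed sample of a syslog.log fed by sshd at LogLevel INFO.
sample_sshd_log() {
    cat <<'EOF'
Dec 25 10:00:01 ibmi sshd[12345]: Accepted publickey for alice from 10.1.2.3 port 51234 ssh2
Dec 25 10:00:05 ibmi sshd[12350]: Failed password for invalid user admin from 10.9.8.7 port 40001 ssh2
Dec 25 10:00:06 ibmi sshd[12350]: Failed password for invalid user admin from 10.9.8.7 port 40001 ssh2
Dec 25 10:00:09 ibmi sshd[12351]: Failed password for bob from 10.9.8.7 port 40002 ssh2
Dec 25 10:00:15 ibmi sshd[12351]: Accepted password for bob from 10.9.8.7 port 40002 ssh2
Dec 25 10:01:00 ibmi sshd[12345]: Disconnected from user alice 10.1.2.3 port 51234
EOF
}

# demo [LOGFILE]: run against the real log when given a path, else the sample.
demo() {
    demo_log="${1:-}"
    if [ -z "$demo_log" ]; then
        demo_log=$(mktemp) && sample_sshd_log > "$demo_log"
    fi
    echo "== authentication events =="; sshd_auth_summary "$demo_log"
    echo "== sources with 3 or more failures =="; failed_by_source "$demo_log" 3
}
case "${1:-}" in run) demo "${2:-}" ;; esac
```

Run it as sh sshd_auth_summary.sh run /var/log/syslog.log (the file name is mine), or without a path to see it against the built-in sample, where 10.9.8.7 shows three failures before bob's successful password login.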


The syslog daemon should be running as a job under the QINTER subsystem:

QP0ZSPWP     USERXX     BCI      .0  PGM-syslogd      SELW

You can end this job if you want to stop the syslog daemon.

Another option to stop the syslog daemon is from PASE.
First find the syslog daemon's process number in the /QOpenSys/etc/syslog.pid file,
or with this command in bash:

ps -ef | grep syslogd 

Then just run kill <process_number> in bash.
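
Here is an added example (not from the original post) of the PASE stop procedure above with one extra check: before signalling the pid found in /QOpenSys/etc/syslog.pid it confirms through ps -ef that the pid really belongs to a syslogd process, so a stale pid file cannot make kill hit an unrelated job, and it then waits for the process to go away. The function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: stop syslogd the PASE way
# described above, but check that the pid from syslog.pid really belongs to a
# syslogd process before sending the signal. A stale pid file (daemon died,
# pid reused by another job) would otherwise make "kill" hit the wrong process.
SYSLOG_PID="${SYSLOG_PID:-/QOpenSys/etc/syslog.pid}"

# pidfile_pid FILE -> prints the pid stored in FILE; fails if unreadable/empty
pidfile_pid() {
    [ -r "$1" ] || return 1
    pf_pid=$(head -n 1 "$1" | tr -cd '0-9')
    [ -n "$pf_pid" ] || return 1
    printf '%s\n' "$pf_pid"
}

# pid_is_syslogd PID -> true if ps -ef shows PID running syslogd
pid_is_syslogd() {
    ps -ef | awk -v p="$1" '$2 == p && $0 ~ /syslogd/ { ok = 1 } END { exit !ok }'
}

# stop_syslogd [PIDFILE]: send TERM, wait up to 10 s, report what happened
stop_syslogd() {
    ss_pidfile="${1:-$SYSLOG_PID}"
    ss_pid=$(pidfile_pid "$ss_pidfile") || { echo "no usable pid in $ss_pidfile" >&2; return 1; }
    if ! pid_is_syslogd "$ss_pid"; then
        echo "pid $ss_pid is not syslogd; refusing to kill (stale $ss_pidfile?)" >&2
        return 1
    fi
    kill "$ss_pid" || return 1
    ss_i=0
    while kill -0 "$ss_pid" 2>/dev/null && [ "$ss_i" -lt 10 ]; do
        sleep 1; ss_i=$((ss_i + 1))
    done
    if kill -0 "$ss_pid" 2>/dev/null; then
        echo "syslogd (pid $ss_pid) still running after 10 s" >&2
        return 1
    fi
    echo "syslogd (pid $ss_pid) stopped"
}
case "${1:-}" in stop) stop_syslogd "${2:-}" ;; esac
```

sh stop_syslogd.sh stop (the file name is mine) uses the pid file from the post; pass another pid file as the second argument. A refusal with "is not syslogd" means the pid file is stale and the running job, if any, should be located with ps -ef as shown above.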

If logging doesn't work properly, you can try restarting the SSHD server:

ENDTCPSVR *SSHD

STRTCPSVR *SSHD

SYSLOGD flags:
-a    Suppresses the reverse host name lookup for the messages coming from the remote host
-A    Specifies additional logs that the syslogd daemon checks. By default, the syslogd daemon checks the /dev/log file for messages
-d    Turns on debugging
-s    Specifies to forward a "shortened" message to another system
-n    Suppresses the "Message forwarded from <log_host_name>: " string added to the beginning of the syslog message that is forwarded to a remote log host
-N    Suppresses logging of priority and facility information for each log message
-r    Suppresses logging of messages received from remote hosts
-m    Specifies the number of minutes between the mark command messages
-p    Specifies an alternate path name for the datagram socket
-f    Specifies an alternate configuration file
-M    Specifies not to suppress duplicate messages in the log file. This flag is valid only if used with the all argument.

syslog.conf selectors (facility.priority):
Facility names:    kern|user|mail|daemon|auth|syslog|lpr|news|uucp|local0..local7|*
Priority levels:   emerg|alert|crit|err|warning|notice|info|debug|none